[tac_plus] tacacs+ custom reply messages
Chandan Kumar
chandank.kumar at gmail.com
Mon Feb 23 16:42:04 UTC 2015
Hi Heasley,
Thanks for your response. Basically I am not able to get a working example
of how to use those AVPs in tac_plus.conf. Whatever I have used so far,
they appear to have no impact on the server at all. [the basic
authentication using file /etc/passwd is working though].
While googling I mostly get examples of how to configure a CISCO device
[client side] and very limited configuration examples associated with
server configuration other than the file that is packaged with the tac_plus
source code itself.
Example 1:
I want to send a prompt message to host connecting from 192.168.2.53
default authentication = file /etc/passwd
host = 192.168.2.53 {
prompt = "Welcome\n"
}
Now when I log in, I do not see any "welcome" attached in the reply message
in wireshark. I only see
Status: 0x1 (Authentication Passed)
Flags : 0x0
Server message length : 0
Data Length :0
I would appreciate if you could provide a working example of tac_plus.conf
with some AVPs either at authentication or at authorization phase.
I would appreciate any help in this regard.
Thanks
Chandan
PS: In RADIUS it is very simple to send a reply with auth example:
joe Cleartext-Password := "1234"
Reply-Message := "Welcom"
On auth success, the server sends this welcom string, which could be used
by the client side to provide additional functionality. [I agree it is not
the best way to do it; this example is only for illustration purposes]
--
http://about.me/chandank
On Sat, Feb 21, 2015 at 1:59 PM, heasley <heas at shrubbery.net> wrote:
> Fri, Feb 20, 2015 at 12:01:03PM -0500, Chandan Kumar:
> > Hello All,
> >
> > I am using tacacs+ server to authenticate Linux machines [CentOS-6] and
> > using pam_tacplus.so. The basic authentication works perfect.
> >
> > I have a question regarding reply message from tacacs+ server. Unlike
> > RADIUS I do not find any "Reply-Message" type of field in server
> > configuration of TACPLUS server. Is there any way either during
> > authorization or authentication phase to send a custom reply message or any
> > flag, which could be used by the pam module to customize user info. [I will
> > modify the pam module accordingly]
>
> sorry for the 2nd msg; but in theory you could pass anything that you want
> back to the agent with optional AVPs; again see tac_plus.conf.
>
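Added example, not part of the original messages or of the tac_plus code: a small Python parser for the two reply bodies discussed in this thread, showing that the authentication REPLY carries only status, flags, server_msg and data, while attribute-value pairs travel in the authorization REPLY. It assumes bodies that are already de-obfuscated and laid out as in RFC 8907; the sample bytes are constructed and `custom-flag` is a made-up attribute name.

```python
import struct

AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                 0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}

def _fixed(body):
    """Both replies start with two 1-byte fields and two 16-bit big-endian lengths."""
    if len(body) < 6:
        raise ValueError("reply body shorter than its 6-byte fixed part")
    return struct.unpack("!BBHH", body[:6])

def parse_authen_reply(body):
    """Authentication REPLY: status, flags, server_msg_len, data_len, server_msg, data."""
    status, flags, msg_len, data_len = _fixed(body)
    if len(body) != 6 + msg_len + data_len:
        raise ValueError("length fields do not match the body size")
    return {"status": AUTHEN_STATUS.get(status, hex(status)), "flags": flags,
            "server_msg": body[6:6 + msg_len].decode("utf-8", "replace"),
            "data": body[6 + msg_len:]}

def parse_author_reply(body):
    """Authorization REPLY: status, arg_cnt, lengths, arg length bytes, server_msg, data, args."""
    status, arg_cnt, msg_len, data_len = _fixed(body)
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt
    if len(arg_lens) != arg_cnt or len(body) != pos + msg_len + data_len + sum(arg_lens):
        raise ValueError("length fields do not match the body size")
    server_msg = body[pos:pos + msg_len].decode("utf-8", "replace")
    pos += msg_len + data_len
    avps = []
    for n in arg_lens:
        arg = body[pos:pos + n].decode("utf-8", "replace")
        pos += n
        seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
        if not seps:
            raise ValueError("argument without '=' or '*': %r" % arg)
        cut = min(seps)  # '=' marks a mandatory AVP, '*' an optional one
        avps.append((arg[:cut], arg[cut + 1:], arg[cut] == "*"))
    return {"status": AUTHOR_STATUS.get(status, hex(status)),
            "server_msg": server_msg, "avps": avps}

# Constructed samples. The first matches the fields quoted from Wireshark above.
AUTHEN_SAMPLE = bytes.fromhex("010000000000")
_args = [b"priv-lvl=15", b"custom-flag*1"]  # custom-flag is a made-up attribute
AUTHOR_SAMPLE = (struct.pack("!BBHH", 0x01, len(_args), 7, 0)
                 + bytes(len(a) for a in _args) + b"Welcome" + b"".join(_args))
```

Each AVP comes back as a `(name, value, optional)` tuple, so a PAM-side consumer can tell a mandatory pair from an optional one before acting on it.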